Abstract
Return-Oriented Programming (ROP) is one of the most widely used techniques for exploiting software vulnerabilities, and it can bypass defense mechanisms such as Data Execution Prevention and Address Space Layout Randomization. This paper proposes a hardware-based method for real-time detection of ROP attacks. Without any side information (such as source code or compiler support) and without binary rewriting, it uses the hardware performance counters in modern CPUs to monitor the execution of the target program and extracts the low-level hardware event features that appear when a ROP attack occurs, detecting the attack in real time. A prototype system, ROPDetector, was then implemented in a 32-bit Linux environment; it was evaluated with real ROP attacks and real vulnerabilities, compared experimentally with methods of the same kind, and finally its performance overhead was measured. The results show that the method effectively detects real ROP attacks: with detection periods of 6 and 9 mispredicted return instructions respectively, the system performance overhead is only 5.05% and 5.25%, the disk I/O overhead only 0.94% and 2%, and the network I/O overhead only 0.06% and 0.78%.
Return-oriented programming (ROP) is one of the most common attack techniques for software vulnerabilities. Attackers can use it to tamper with the program's execution flow and run malicious code. A ROP attack is a generalization of the ret-to-lib attack: in the ret-to-lib attack the attacker reuses the entire libc library, whereas in a ROP attack the attacker chains available gadgets into a malicious attack chain, which can bypass the data execution protection and address space layout randomization defense mechanisms and ultimately compromise user-level and kernel-level software modules. Here, a gadget is an instruction fragment ending with a return instruction, taken from the target program or from a library function called by the target program. The set of special registers built into modern CPUs for counting hardware-related activities are called hardware performance counters (HPCs); they were designed for performance debugging of complex software systems. Developers can configure HPCs to monitor the execution of a target program and, as with traditional software analysis tools, collect detailed performance information about it, which helps in understanding program behavior at runtime and optimizing performance. In response to the threat of ROP attacks, many researchers at home and abroad have studied ROP defense mechanisms and proposed a series of defense or detection methods. However, some existing defense techniques can be overcome by attackers, or suffer from high performance overhead. In this paper, we observed anomalies in underlying hardware events while a ROP attack was happening. Based on this, we propose a real-time detection approach based on hardware that needs no side information (e.g., source code, compiler support); it uses the hardware performance counters in modern CPUs to monitor the target program's execution and extracts the
low-level feature of hardware events against ROP a
Authors
牛伟纳
赵成洋
张小松
黄晓祥
蒋廉
张钶旋
NIU Wei-Na; ZHAO Cheng-Yang; ZHANG Xiao-Song; HUANG Xiao-Xiang; JIANG Lian; ZHANG Ke-Xuan (School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China, Chengdu 611731; Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, Guangdong 518040)
Source
《计算机学报》 (Chinese Journal of Computers)
Indexed in: EI, CAS, CSCD, PKU Core (北大核心)
2021, No. 4, pp. 761-772 (12 pages)
Funding
National Key R&D Program of China (2016QY13Z2302)
National Natural Science Foundation of China (61902262, U19A2066)
Sichuan Science and Technology Support Program (2017CC0071)
Keywords
return-oriented programming
hardware events
real-time detection
hardware performance counter
mis-predicted return instructions